June 30, 2006

MEMORANDUM TO:   Luis A. Reyes
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         EVALUATION OF PERSONAL PRIVACY INFORMATION FOUND ON NRC NETWORK DRIVES (OIG-06-A-14)

This report presents the results of the subject evaluation. Agency comments provided at the exit conference on May 18, 2006, and in a written response, dated June 20, 2006, have been incorporated, as appropriate, into this report. Appendix C contains a copy of the agency's written comments and our response.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up as stated in Management Directive 6.1.

We appreciate the courtesies and cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 301-415-5915, or Beth Serepca at 415-5911.

Attachment: As stated

Electronic Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services and Administration, and Chief Information Officer, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Michael R. Johnson, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Janet R. Schlueter, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV

EVALUATION REPORT

Evaluation of Personal Privacy Information Found on NRC Network Drives

OIG-06-A-14   June 30, 2006

All publicly available OIG reports (including this report) are accessible through NRC's Web site at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

Office of the Inspector General
Personal Privacy Information Found on NRC Network Drives

Contract Number: GS-00F-0001N
Delivery Order Number: DR-36-03-346

June 29, 2006

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

TABLE OF CONTENTS

I.    BACKGROUND  1
II.   FINDING  2
III.  RECOMMENDATIONS  6
IV.   AGENCY COMMENTS  7

Appendices

A.    SCOPE AND METHODOLOGY  9
B.    ILLUSTRATION OF INFORMATION FOUND  11
C.    FORMAL AGENCY COMMENTS  21
D.    DETAILED OIG ANALYSIS OF AGENCY COMMENTS  25

I.    BACKGROUND

As a part of the Fiscal Year (FY) 2006 Federal Information Security Management Act (FISMA) independent evaluation of the Nuclear Regulatory Commission's (NRC) information security program, Richard S. Carson and Associates, Inc. (Carson Associates) identified an issue that warrants your attention. Carson Associates found personal privacy information, including Social Security numbers and dates of birth, on NRC network drives that can be accessed by all agency network users. This information may be subject to the provisions of the Privacy Act of 1974.

Personal privacy information was found on NRC network drives that can be accessed by all agency network users because (1) NRC employees are not following existing guidance for protecting personal privacy information, and (2) NRC lacks procedures for monitoring NRC network drives for sensitive data. As a result, NRC employees could be at risk for identity fraud, and the agency may not be in compliance with the Privacy Act.

Personal Privacy Information

Personal privacy information is information about an individual including, but not limited to, Social Security number, home address, home telephone number, date of birth, and financial and medical information.[1] Information in identifiable form is information in an information technology system or online collection: (i) that directly identifies an individual (e.g., name, address, Social Security number or other identifying number or code, telephone number, e-mail address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification.[2]

The Privacy Act of 1974, as amended (5 U.S.C. § 552a), establishes safeguards for the protection of records the Federal government collects, maintains, uses, and disseminates on individuals. The Privacy Act applies to a specific category of personal privacy information in an identifiable form — records[3] retrieved by a personal identifier from an agency system of records.[4] A personal identifier can be a number assigned to an individual or the individual's Social Security number.

Personal privacy information and information in an identifiable form that is not protected by the Privacy Act also requires appropriate safeguards. Guidance from OMB reminds agencies they are required to inform and educate employees and contractors of their responsibility for protecting information in identifiable form. OMB just recently issued a memorandum on safeguarding personally identifiable information.[5] That memorandum includes a requirement to remind employees of their specific responsibilities for safeguarding personally identifiable information.

[1] NRC Yellow Announcement 064, "Personal Privacy Information," September 26, 2005.
[2] Office of Management and Budget (OMB) Memorandum M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," September 26, 2002.
[3] A record is any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.
[4] A system of records is a group of any records under the control of an agency from which information is retrieved by the name of an individual or by an identifying number, symbol, or other identifier assigned to an individual.
[5] OMB Memorandum M-06-15, "Safeguarding Personally Identifiable Information," May 22, 2006.

II.   FINDING

As a part of the FY 2006 FISMA independent evaluation of the NRC's information security program, Carson Associates found personal privacy information, including Social Security numbers and dates of birth, on NRC network drives that can be accessed by all agency network users. This information may be subject to the provisions of the Privacy Act of 1974.

Personal privacy information was found on the NRC network drives because (1) NRC employees are not following existing guidance for protecting personal privacy information, and (2) NRC lacks procedures for monitoring NRC network drives for sensitive data. As a result, NRC employees could be at risk for identity fraud, and the agency may not be in compliance with the Privacy Act.

NRC Network Drives

When an NRC employee logs in to the NRC network, several local and network drives are made available for use. Local drives are those drives found on the employee's local workstation (e.g., the C: drive). Network drives are those drives found on the NRC network and allow the employee to share those drives, and the files stored on them, with other NRC employees. Some network drives have limited access, while others can be accessed by all agency network users.

According to an NRC announcement dated December 10, 2004, the standard NRC workstation local drives are:

   •  A: drive – diskette drive; used for reading/writing diskettes.
   •  C: drive – primary hard disk drive; used for storage of operating system and applications programs and data.
   •  D: drive – Compact Disk Read-Only Memory (CD-ROM) drive; used for reading data from CD-ROMs.

The standard NRC workstation network drives are:

   •  G: drive – network storage location for an organization, usually at the Office level, to share files and documents (referred to as the "Group" drive).
   •  P: drive – network storage location for individual use (referred to as the "Personal" drive).
   •  R: drive – network storage location for viewing, not editing, files and documents used by multiple organizations (referred to as the "Read-only" drive). The R: drive on each server can be accessed by all agency network users.
   •  S: drive – network storage location for files to be shared among multiple organizations (referred to as the "Shared" drive). The S: drive on each server can be accessed by all agency network users.
   •  Y: drive – network storage location for application-related files shared among multiple organizations. For example, the blank forms used for Informs are stored here. The Y: drive on each server can be accessed by all agency staff; however, some files and folders are available for viewing, but not editing.

Carson Associates found the personal privacy information on an R: drive, which according to the NRC announcement, can be accessed by all agency network users.

NRC Employees Are Not Following Existing Guidance

To protect the rights of individuals from invasion of personal privacy, NRC has management controls throughout its policies and procedures regarding the protection of personal privacy information. However, NRC's protection of personal privacy information is weakened by staff failing to follow the agency's established policies and procedures.

Management Directive (MD) and Handbook 3.2, Privacy Act, Part V, define the responsibilities of NRC employees who work with records containing information about individuals. These responsibilities include:

   •  Disseminate no information concerning individuals to other NRC employees unless they have a "need to know" the information in order to perform their official duties.
   •  Maintain and process information concerning individuals in a manner that will ensure no inadvertent or unauthorized disclosures are made of the information.

MD and Handbook 12.5, NRC Automated Information Security Program, state that users shall protect sensitive unclassified information in his or her possession from unauthorized access, disclosure, modification, misuse, damage, or theft.

In addition to the policies and procedures described above, the NRC Office of Information Services issues periodic reminders to NRC employees regarding their responsibility to protect personal privacy information. The most recent reminder was sent in the form of a Yellow Announcement to all NRC employees on September 26, 2005. The Yellow Announcement defined personal privacy information as information about an individual, including, but not limited to, Social Security number, home address, home telephone number, date of birth, and financial and medical information. NRC employees and contractors were reminded of their responsibility to protect personal privacy information, whether the information is their own or about others.

In addition, the NRC announcement regarding NRC local and network drives, dated December 10, 2004, specifically reminded staff that when a file or document is saved, staff should be aware of the location where the data is being stored. The announcement also reminded staff that files on an R: drive can be viewed by other network users and that data that needs protection from access by other network users can be placed on a diskette or other removable storage media and appropriately stored away from the workstation.

Despite NRC's policies and procedures regarding the protection of personal privacy information and the periodic reminders sent by the Office of Information Services, Carson Associates found several documents containing personal privacy information, including Social Security numbers and dates of birth, on NRC network drives that can be accessed by all agency network users. Some of these files include:

   •  Excel spreadsheets including bonus awards information for Senior Executive Service personnel (including Social Security numbers)
   •  Excel spreadsheet containing over 500 employee names and Social Security numbers
   •  Eight text files, each containing over 500 employee names, Social Security numbers, and dates of birth

According to the agency, R: drives are read only for users. Files are added to it by systems administrators in the Network Operations Center who have write privileges. See Appendix B for screen shots of some of the files found on the NRC network drives. NOTE: Appendix B will be redacted in the publicly available version of the report.

NRC Lacks Procedures for Monitoring NRC Network Drives

MD and Handbook 3.2 state that office directors and regional administrators are responsible for conducting periodic reviews of systems of records under their control to ensure compliance with guidelines and procedures implementing the Privacy Act.

However, none of NRC's policies and procedures specifically describe procedures for monitoring NRC network drives for the presence of personal privacy information to ensure it is being properly controlled in accordance with the NRC policies and procedures. According to the agency, drive owners frequently review shared drive components; however, only on an ad hoc basis.

These ad hoc reviews are not sufficient, as some of the files found containing personal privacy information are almost 10 years old.

NRC Employees Are At Risk for Identity Fraud

Due to the presence of personal privacy information on NRC network drives that can be accessed by all agency network users, NRC employees are at risk for identity fraud. Identity fraud is the deliberate assumption of another person's identity, most often to gain access to his or her finances. Approximately 11.8 million Americans (1 in 20 adults) have been victimized by identity fraud as of April 2003, according to research by Star Systems. In many instances, a criminal only needs a name, Social Security number, and date of birth to commit identity fraud. Identity fraud can result not only in financial costs to the victim, but also in lost time spent trying to restore damaged credit resulting from the identity fraud.

The Agency May Not Be In Compliance With the Privacy Act

The personal privacy information found on NRC network drives that can be accessed by all agency network users is similar to information found in more than one of NRC's systems of records published in the Federal Register[6] and also fits the definition of a duplicate system of records. As defined in MD and Handbook 3.2, a duplicate system of records is a group of records that are similar to records contained in an NRC system of records. It need not contain all of the records contained in the primary system. The information also meets the criteria of a "record" as defined by the Privacy Act.

Carson Associates could not determine whether the personal privacy information found on the NRC network drives came from, or is maintained as a part of, a Privacy Act system of records, or if the information is considered a duplicate system of records. However, if the information did come from a system of records, or is determined to be a duplicate system of records, then the agency may not be in compliance with the Privacy Act.

[6] Federal agencies covered by the Privacy Act are required to publish descriptions of their systems of records in the Federal Register. Each Federal Register notice for a system of records includes information regarding agencies' policies and practices regarding storage, retrieval, safeguards, and disposal of records in the system.

III.  RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Remind employees of their responsibilities to protect personal privacy information.

   2. Remind employees that files on network drives may be viewed by other network users and that personal privacy information should not be posted on network drives unless access to that information is appropriately restricted to users with a "need to know."

   3. Develop policies and procedures for reviewing network drives for the presence of personal privacy information.

   4. Conduct an immediate review of all network drives for the presence of personal privacy information and remove any information that should not be posted on a network drive unless access to that information is appropriately restricted to users with a "need to know."

IV.   AGENCY COMMENTS

At an exit conference with the agency held on May 18, 2006, the agency provided informal comments and generally agreed with the report recommendations. On June 20, 2006, the agency provided a formal response with additional comments. Where appropriate, the Office of the Inspector General (OIG) modified the report in response to these comments. Appendix C contains a copy of the agency's formal written comments. Appendix D contains OIG's specific responses to the agency's comments.

A.    SCOPE AND METHODOLOGY

To prepare this report, Carson Associates reviewed MD 3.2 and MD 12.5, NRC's Privacy Act systems of records notice in the Federal Register, and several NRC announcements found on the NRC internal web site. Carson Associates also conducted an interview with NRC's senior information technology security officer and other staff members from the Office of Information Services. The work was conducted during April and May 2006 in accordance with best practices for evaluating security controls. Jane M. Laroussi, CISSP, and Kelby M. Funn, CISA, from Carson Associates conducted the work.

B.    ILLUSTRATION OF INFORMATION FOUND

OFFICIAL USE ONLY APPENDIX HAS BEEN REDACTED FOR PUBLIC RELEASE

C.    FORMAL AGENCY COMMENTS

Official Use Only Marking Removed Per OEDO E-mail Dated 6/28/06 – See Page 21

D.    DETAILED OIG ANALYSIS OF AGENCY COMMENTS

At an exit conference with the agency held on May 18, 2006, the agency provided informal comments and generally agreed with the report recommendations. On June 20, 2006, the agency provided a formal response with additional comments (see Appendix C).

Below is OIG's analysis of the agency's formal comments. NRC's comments appear in bold italics.

   Throughout the document the phrase "accessed by all agency network users" should be revised to read "accessed by agency network users assigned to the particular server." The statement, as currently written in the report, exaggerates the size of the population that had potential access to the information.

OIG did not modify the report. According to the NRC announcement dated December 10, 2004, the "R: drive on each server can be accessed by all agency network users." The personal privacy information was found on an "R:" drive; therefore, according to the announcement, it can be accessed by all agency network users. Further, the agency was unable to provide support that the drive is restricted.

   The Privacy Act of 1974 is referred to in this document as the "Federal" Privacy Act of 1974. The word "Federal" is not part of the proper name of the statute and should be removed.

OIG modified the text as recommended. However, it should be noted that MD 3.2 and the accompanying Handbook include the word "Federal" when introducing the Act for the first time.

   Reference to Management Directive 3.2, "Privacy Act," is inappropriate, since it presumes that the Privacy Act is a core issue in this matter. The reference to the Privacy Act is emphasized in the report and creates the mistaken impression that some kind of Privacy Act violation was found.

OIG did not remove references to MD 3.2, as this directive was used to determine whether the Privacy Act was applicable to the information found on the NRC network drives. One of the objectives of the directive is to "ensure that NRC collects, maintains, uses, and disseminates any record of identifiable personal information in a manner that ensures that the action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of the information."

   The second paragraph provides the correct definitions of a record and a system of records under the Privacy Act. However, it is important to note that the described types of records would be protected by the provisions of the Privacy Act only if they were part of a system of records. These types of records can exist in a collection or grouping of agency records that do not meet the criteria of a system of records (where information is not retrieved by a name or personal identifier) and therefore would not be protected by the Privacy Act.

OIG modified the text to include the definitions of personal privacy information and information in an identifiable form, which also require adequate safeguards. The definitions of a record and a system of records remain in the report, but as footnotes. However, it should be noted that some courts have held that the "system of records" threshold requirement is not necessarily applicable to all subsections of the Act, including the subsection requiring the establishment of appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.[7] Some courts have held that this subsection can also apply to records that are not part of a system of records.

NRC Employees Are Not Following Existing Guidance, pages 3-5 (which appears on pages 3-4 of this final report)

   The end of the first sentence in the first paragraph reads "ensure that personal privacy information is protected from unauthorized disclosure" and implies two things that are incorrect. One is that the agency made an affirmative release of the information (implied from the use of the term "disclosure" versus "permitting access" or something similar). The other is the suggestion that there is a Privacy Act violation, due to reliance on the term "unauthorized." This overstates the situation. The phrase "unauthorized disclosure" should be replaced with "uncontrolled access." The availability of personal privacy information on the network drive is not an unauthorized disclosure but a failure by the staff to institute appropriate access controls.

OIG modified the text to describe the agency's policies and procedures as being related to the protection of personal privacy information rather than unauthorized disclosure.

   Regarding the last sentence of the last paragraph, in the event the final document is released to the public, the public version should not include the enclosure referenced in the document. The enclosure contains actual samples of some of the personal privacy information, and that release itself would result in a much greater breach of an individual's expectation of privacy than that highlighted in the report.

OIG modified the report so that Appendix B, which contains the samples of the personal privacy information, is marked "Official Use Only – Sensitive Internal Information." Appendix B will be redacted in the publicly available version of the report.

NRC Employees Are At Risk for Identity Fraud, page 6 (which appears on page 4 of this final report)

   The section heading and first sentence imply that there remains a threat of identity theft. The staff took immediate action and deleted the files identified in the report that contained personal privacy information. Therefore, the sentence should clarify this point along the following lines: "The presence of personal privacy information on NRC network drives that can be accessed by agency network users may place NRC employees at risk for identity fraud." A more accurate heading for this section would be "Risk of Identity Fraud."

OIG did not modify the report as the threat still remains. At least one of the files identified in the report was still on the NRC network drive as of June 28, 2006. The files that have been removed could have been accessed at any time prior to their removal, and the information from those files still could be used to commit identity fraud.

The Agency May Not Be In Compliance With The Privacy Act, page 6 (which appears on page 5 of this final report)

   There is no basis upon which to make this assertion, since it has not been established that any Privacy Act information was involved in this matter, as acknowledged in the report itself. Therefore, there is far too much emphasis on the Privacy Act, including reference to the definition of a "duplicate system of records," which is specific to the Privacy Act. Taken together, the clear implication is that a Privacy Act violation occurred, but the plain evidence of that is lacking. Misplaced reference to the Privacy Act in the report as a whole repeatedly hints that violations of this law occurred, which has no foundation in fact.

OIG did not modify the report. The intent of the report was to alert the agency to the presence of the personal privacy information on NRC network drives, not to investigate where the information came from. The finding only points out that the information found may be Privacy Act information.

Recommendations, page 7 (which appear on page 6 of this final report)

   The recommendations could acknowledge that the agency already takes action as described in at least one recommendation; namely, the agency does remind employees of their responsibility to protect personal privacy information. Indeed, in the section entitled "NRC Employees Are Not Following Existing Guidance," the report credits the Office of Information Services with issuing "periodic reminders to NRC employees regarding their responsibility to protect personal privacy information," and the report even refers to the most recent reminder in the form of a Yellow Announcement dated September 26, 2005.

OIG did not modify the report. At the exit conference, the agency generally agreed with the report recommendations. The report already acknowledges actions currently taken by the agency. The finding points out that the current actions are not adequate as employees are not following the existing guidance.

[7] "Overview of the Privacy Act of 1974," United States Department of Justice, May 2004.
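Recommendations 3 and 4 in Section III call for reviewing network drives for the presence of personal privacy information, and the finding describes the kind of files involved: spreadsheets and text files holding employee names, Social Security numbers and dates of birth on a drive readable by all network users. The following is an added example, not part of the OIG report and not NRC's or Carson Associates' tooling, of the periodic review a drive owner could run: it walks a directory tree, reads plain-text and CSV files, and reports files containing a valid-looking Social Security number, counting date-of-birth-shaped dates alongside. It assumes that spreadsheets have already been exported to CSV, and the share layout, file names and record contents are constructed for illustration; the report output masks all but the last four digits of each number so that the review itself does not create a new copy of the data.

```python
"""
Added example (not part of the OIG report or of NRC's or Carson Associates'
tooling): a small scanner for the kind of personal privacy information the
report describes -- Social Security numbers and dates of birth in text or
CSV files on a shared drive -- that a drive owner could run as the periodic
review called for in Recommendations 3 and 4. File names, paths and record
contents below are constructed for illustration.
"""
import os
import re
import tempfile

# An SSN is NNN-NN-NNNN where the area is not 000, 666 or 900-999, the group
# is not 00 and the serial is not 0000. Encoding those rules in the pattern
# removes the most common false positives (placeholder or template numbers).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# US-style dates MM/DD/YYYY in the 1900s or 2000s. A date alone is not
# sensitive; it is reported only as context beside a name and SSN.
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

# Only plain-text formats are read here; spreadsheets would need to be
# exported to CSV first (an assumption of this example).
SCAN_EXTENSIONS = {".txt", ".csv"}


def mask(ssn):
    """Keep only the last four digits so the scan report is not itself a leak."""
    return "***-**-" + ssn[-4:]


def find_pii(text):
    """Return a dict with the SSN count, the masked SSNs and the DOB count."""
    ssns = SSN_RE.findall(text)
    return {
        "ssn_count": len(ssns),
        "ssn_masked": sorted({mask(s) for s in ssns}),
        "dob_count": len(DOB_RE.findall(text)),
    }


def scan_tree(root):
    """Walk a directory tree; return {relative path: findings} for files
    that contain at least one valid-looking SSN."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = find_pii(fh.read())
            if findings["ssn_count"]:
                hits[os.path.relpath(path, root)] = findings
    return hits


# Constructed sample share: one file with names, SSNs and DOBs; one form
# template whose placeholder numbers the validity rules reject; one unrelated.
SAMPLE_FILES = {
    "hr/awards.csv": (
        "name,ssn,dob\n"
        "A. Example,123-45-6789,04/12/1961\n"
        "B. Example,219-09-9999,11/30/1958\n"
    ),
    "forms/template.txt": "Enter SSN as 000-00-0000 or 666-12-3456 or 987-65-4320.\n",
    "readme.txt": "Procedures for the shared drive. Contact ext. 5911.\n",
}


def build_sample_share():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="share-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, f in sorted(scan_tree(share).items()):
        print(f"{rel}: {f['ssn_count']} SSN(s) {f['ssn_masked']}, "
              f"{f['dob_count']} date(s)")
```

Run against the constructed share, only hr/awards.csv is reported (two numbers, two dates); the template's 000-, 666- and 9xx- prefixed placeholders are rejected by the structural rules rather than flagged as findings. In practice the scan would be pointed at the mounted share, run on the schedule the review procedure sets, and its masked output kept with the same access restriction as the files it describes.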